Re: [Sshmgmt] Agent forwarding

peter@notatla.org.uk Sat, 20 April 2013 12:23 UTC

Date: Sat, 20 Apr 2013 13:23:50 +0100
To: sshmgmt@ietf.org
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <20130420122350.D670D80048@notatla.org.uk>
From: peter@notatla.org.uk
Subject: Re: [Sshmgmt] Agent forwarding

Simon Josefsson writes:
> Briefly, if a remote system has been compromised, and you connect to it
> using 'ssh -A', the remote system can use your credentials to login to
> other systems.  Normally there is no user feedback of what is going on
> either.  I've seen uses of 'ForwardAgent yes' in people's .ssh/config
> which is risky and IMHO a problem worthy of attention.

This is a risk, but it's difficult to deal with without removing the
non-interactive SSO that the agent provides, which is the reason people
use it.

Also from the man page: "Several identities can be stored in the agent;
the agent can automatically use any of these identities."

What I think could be done is:

a) logging by the agent when it computes a challenge

   The log to include the host public key which the
   challenge proves correct and fresh.  I'm guessing that's
   possible (even if it meant reworking the challenge)
   but haven't studied it.  The aim is that when you are
   blamed for a login you show in the agent log how it was
   assisted by the agent during contact with some other
   list of hosts - one of which is now suspected of using
   the agent without user consent.

b) real-time display by the agent when it computes a challenge

c) limit the agent instance by number/rate of challenges

d) limit the agent instance by which hosts/identities it will
   compute challenges for (again assuming it knows which that is).